Your message dated Tue, 10 Jan 2017 01:03:29 +0000
with message-id <e1cqkqx-000fsa...@fasolo.debian.org>
and subject line Bug#793770: fixed in netty-3.9 3.9.9.Final-1
has caused the Debian Bug report #793770,
regarding Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793770: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793770
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: netty-3.9
Version: 3.9.0.Final-1
Severity: important
Tags: security upstream patch

LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty
that could lead to universal bypass of the HttpOnly flag on cookies.

If the HttpOnly flag is included in the HTTP Set-Cookie response header,
the cookie cannot usually be accessed through client-side script.
This bug can, however, be leveraged to leak the cookie's name-value pair into the DOM,
where a malicious script can access the content without any restriction.

CVE-2015-2156 has been assigned for this issue, which has been fixed upstream
in releases 3.9.8.Final and 3.10.3.Final.
Please mention the CVE ID in the changelog when fixing this issue.

References:
 * Security update
   http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
 * Issue technical details / PoC
   http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
 * Fixing commit
   https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8

Cheers, Luca

--- End Message ---
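As an added illustration (not Netty's code and not from the advisory or the LinkedIn write-up), the defensive check that keeps a cookie value from being misread as the boundary of a neighbouring cookie: a strict RFC 6265 validator for cookie names and values, a Cookie request-header parser that splits on ';' before it ever looks at quotes and drops invalid pairs, and a Set-Cookie encoder that refuses delimiter characters. The character ranges are those of RFC 6265 section 4.1.1; the sample header and cookie values are constructed.

```python
"""Strict RFC 6265 cookie validation (constructed example, not Netty code)."""
import re

# cookie-octet (RFC 6265 4.1.1): printable US-ASCII except whitespace,
# DQUOTE, comma, semicolon and backslash. Everything else is a delimiter
# or a control character and must never reach a cookie value.
_COOKIE_OCTET = r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]"
# cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
_COOKIE_VALUE_RE = re.compile(rf'^(?:{_COOKIE_OCTET}*|"{_COOKIE_OCTET}*")$')
# cookie-name = token (RFC 2616): no CTLs, no separators.
_TOKEN_RE = re.compile(r'^[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+$')


def is_valid_cookie_name(name: str) -> bool:
    return bool(_TOKEN_RE.match(name))


def is_valid_cookie_value(value: str) -> bool:
    return bool(_COOKIE_VALUE_RE.match(value))


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie request header strictly.

    Pairs are split on ';' before quotes are considered, so a stray or
    unbalanced DQUOTE in one value cannot swallow the next cookie. Pairs
    failing validation are dropped instead of being handed to the app.
    """
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        name, value = name.strip(), value.strip()
        if sep and is_valid_cookie_name(name) and is_valid_cookie_value(value):
            cookies[name] = value
    return cookies


def encode_set_cookie(name: str, value: str, http_only: bool = True) -> str:
    """Build a Set-Cookie header value, rejecting non RFC 6265 input.

    Raises ValueError rather than emitting a header whose value contains
    ';', '"', ',', '\\' or whitespace, which a lenient decoder could mis-split.
    """
    if not is_valid_cookie_name(name) or not is_valid_cookie_value(value):
        raise ValueError(f"cookie {name!r} has a non RFC 6265 name or value")
    return f"{name}={value}" + ("; HttpOnly" if http_only else "")


# Constructed sample: "x" carries an unbalanced DQUOTE, which is not a valid
# cookie-value, so the parser drops it; "theme" and "session" survive intact.
SAMPLE_HEADER = 'theme=dark; x="; session=abc123'
```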
--- Begin Message ---
Source: netty-3.9
Source-Version: 3.9.9.Final-1

We believe that the bug you reported is fixed in the latest version of
netty-3.9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated netty-3.9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 10 Jan 2017 00:01:59 +0100
Source: netty-3.9
Binary: libnetty-3.9-java
Architecture: source all
Version: 3.9.9.Final-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libnetty-3.9-java - Java NIO client/server socket framework
Closes: 793770
Changes:
 netty-3.9 (3.9.9.Final-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #793770)
     - Refreshed the patches
     - New dependencies on libjboss-logging-java, libbcpkix-java
       and libnetty-tcnative-java
     - Disabled NPN support (obsolete and missing dependencies)
   * Switch to debhelper level 10
   * Modified the watch file to track the 3.9.x releases from Git


--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.